gnutls-commit

[SCM] GNU gnutls branch, master, updated. gnutls_3_0_0-137-g6d0c9ec


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_0-137-g6d0c9ec
Date: Thu, 01 Sep 2011 08:53:13 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=6d0c9ec20702e9f06eebd8aef94ad5650568e174

The branch, master has been updated
       via  6d0c9ec20702e9f06eebd8aef94ad5650568e174 (commit)
       via  faa9a78ed364a310c10ad3d9b7daa7e31a05139d (commit)
       via  f7fe9132f54031833f3b8678f474b28fd7a14894 (commit)
       via  d70186fe142d0943272a10b57d71e359aeb707e7 (commit)
       via  4649a32201d1977c9b573ab9328929f5c30dc20b (commit)
       via  7f155df13ba76f4c1cac9c6862e25b70eb4eec3c (commit)
      from  34365450fd427b4eb98290c73b161b85d1d90b5f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 NEWS                          |    2 +-
 configure.ac                  |    2 +-
 doc/cha-bib.texi              |    4 +++
 doc/cha-gtls-app.texi         |   51 +++++++++++++++++++++++++++++++++-------
 doc/examples/ex-serv-pgp.c    |    2 +-
 doc/latex/gnutls.bib          |   13 +++++++++-
 lib/system_override.c         |   14 +++++------
 m4/hooks.m4                   |    4 +-
 tests/openpgp-certs/testcerts |   18 +++++++-------
 tests/openpgpself.c           |    4 +-
 10 files changed, 79 insertions(+), 35 deletions(-)

diff --git a/NEWS b/NEWS
index e1e245d..4d787a3 100644
--- a/NEWS
+++ b/NEWS
@@ -2,7 +2,7 @@ GnuTLS NEWS -- History of user-visible changes.                
-*- outline -*-
 Copyright (C) 2000-2011 Free Software Foundation, Inc.
 See the end for copying conditions.
 
-* Version 3.0.2 (unreleased)
+* Version 3.0.2 (released 2011-09-01)
 
 ** libgnutls: OpenPGP certificate type is not enabled
 by default.
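Review bot: the NEWS section for 3.0.2 only records the OpenPGP default change; the user-visible documentation changes in this push (the new "Asynchronous operation" text and the revised gnutls_pull_timeout_func description in lib/system_override.c) are not mentioned, and if the callback signature really changed rather than just its comment, that needs an entry here before the date is set to "released 2011-09-01".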
diff --git a/configure.ac b/configure.ac
index be6573b..fc54eee 100644
--- a/configure.ac
+++ b/configure.ac
@@ -21,7 +21,7 @@ dnl Process this file with autoconf to produce a configure 
script.
 # USA
 
 AC_PREREQ(2.61)
-AC_INIT([GnuTLS], [3.0.1], address@hidden)
+AC_INIT([GnuTLS], [3.0.2], address@hidden)
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
 
diff --git a/doc/cha-bib.texi b/doc/cha-bib.texi
index a27509b..b9791df 100644
--- a/doc/cha-bib.texi
+++ b/doc/cha-bib.texi
@@ -172,4 +172,8 @@ Work in progress, available from 
@url{http://tools.ietf.org/html/draft-pechanec-
 R. J. Anderson, "Security Engineering: A Guide to Building Dependable 
Distributed Systems", 
 John Wiley \& Sons, Inc., 2001.
 
address@hidden @anchor{RFC4821}[RFC4821]
+M. Mathis, J. Heffner, "Packetization Layer Path MTU Discovery", March 2007,
+available from @url{http://www.ietf.org/rfc/rfc4821.txt}.
+
 @end table
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index b1d364e..bf65319 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -183,10 +183,6 @@ message. This requires the following function to be used.
 
 @showfuncdesc{gnutls_transport_set_pull_timeout_function}
 
-To avoid @acronym{GnuTLS} from blocking in a DTLS handshake on
-a timer, the @funcref{gnutls_init} can be called with the
address@hidden flag (see @ref{TLS and DTLS sessions}).
-
 
 @subsection Handshake
 Once a session has been initialized and a network
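Review bot: removing the paragraph together with its trailing blank line leaves two consecutive blank lines before "@subsection Handshake"; drop one of them so the Texinfo source stays consistent with the rest of the file. Moving the GNUTLS_NONBLOCK advice into the new asynchronous-operation section is fine, but the DTLS timeout paragraph that follows @showfuncdesc{gnutls_transport_set_pull_timeout_function} now has no pointer to where that advice went; a short @ref there would help readers of this subsection.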
@@ -242,11 +238,40 @@ A session can be deinitialized using the following 
function.
 
 @showfuncdesc{gnutls_deinit}
 
address@hidden Asynchronous operation
address@hidden can be used with asynchronous socket or event-driven programming.
+During a TLS protocol session @acronym{GnuTLS} does not block for anything 
except
+calculations. The only blocking operations are due to the transport layer 
(sockets) functions.
+Those, however, in an asynchronous scenario are typically set to
+non-blocking mode, which forces them to return @code{EAGAIN} error code 
instead of blocking. 
+In that case @acronym{GnuTLS} functions
+will return the @code{GNUTLS_E_AGAIN} error code and can be resumed the
+same way as a system call would. The only exception is 
@funcref{gnutls_record_send},
+which if interrupted subsequent calls need not to include the data to be
+sent (can be called with NULL argument).
+
+The @funcintref{select} system call can also be used in combination with the
address@hidden functions. @funcintref{select} allows monitoring of sockets
+and notifies on them being ready for reading or writing data. Note however
+that this system call cannot notify on data present in @acronym{GnuTLS}
+read buffers, it is only applicable to the kernel sockets API. Thus if
+you are using it for reading from a @acronym{GnuTLS} session, make sure
+the session is read completely. That can be achieved by checking there 
+are no data waiting to be read (using @funcref{gnutls_record_check_pending}), 
+either before the @funcintref{select} system call, or after a call to
address@hidden @acronym{GnuTLS} does not keep a write buffer,
+thus when writing @funcintref{select} need only to be consulted.
+
+In the DTLS, however, @acronym{GnuTLS} might block due to timers
+required by the protocol. To prevent those timers from blocking a DTLS 
handshake,
+the @funcref{gnutls_init} should be called with the
address@hidden flag (see @ref{TLS and DTLS sessions}).
+
 @subsection DTLS sessions
 
 Because datagram TLS can operate over connections where the peer
 of a server cannot be reliably verified, functionality is available to prevent
-denial of server attacks. @acronym{GnuTLS} requires a server
+denial of service attacks. @acronym{GnuTLS} requires a server
 to generate a secret key that is used to sign a address@hidden key of 128 bits 
or 16 bytes should be sufficient for this purpose.}. 
 That cookie is sent to the client using @funcref{gnutls_dtls_cookie_send}, and 
 the client must reply using the correct cookie. The server side
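Review bot: the sentence "The only exception is @funcref{gnutls_record_send}, which if interrupted subsequent calls need not to include the data to be sent" is ungrammatical and buries the rule; say directly that when gnutls_record_send returns GNUTLS_E_AGAIN the call must be repeated, and that the repeated call may pass NULL because the data need not be supplied again. The select() paragraph should also spell out the consequence of ignoring it: records already decrypted into the GnuTLS read buffer do not wake select(), so the application must keep calling gnutls_record_recv until gnutls_record_check_pending reports nothing pending before it goes back to waiting, otherwise that data sits unread until the next packet arrives. Minor: "In the DTLS, however" should read "In DTLS, however", and the "denial of server" to "denial of service" correction is right.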
@@ -263,14 +288,22 @@ and proceed to a proper handshake.
 @showfuncdesc{gnutls_dtls_prestate_set}
 
 
-Note that the above apply to server side only. The client side cookie handling
-is part of @funcref{gnutls_handshake}. However both client and server
-side should set the correct maximum transfer unit for
+Note that the above apply to server side only and they are not mandatory to be
+used. Not using them, however, allows denial of service attacks.
+The client side cookie handling is part of @funcref{gnutls_handshake}. 
+
+Datagrams are typically restricted by a maximum transfer unit (MTU). For that
+both client and server side should set the correct maximum transfer unit for
 the layer underneath @acronym{GnuTLS}. This would allow proper fragmentation
-of DTLS messages.
+of DTLS messages and prevent messages from being silently discarded by the
+transport layer. The ``correct'' maximum transfer unit can be obtained through
+a path MTU discovery mechanism @xcite{RFC4821}.
 
 @showfuncdesc{gnutls_dtls_set_mtu}
 
address@hidden
address@hidden
+
 @node Priority Strings
 @section Priority strings
 
diff --git a/doc/examples/ex-serv-pgp.c b/doc/examples/ex-serv-pgp.c
index 4374483..5c73b93 100644
--- a/doc/examples/ex-serv-pgp.c
+++ b/doc/examples/ex-serv-pgp.c
@@ -56,7 +56,7 @@ initialize_tls_session (void)
 
   gnutls_init (&session, GNUTLS_SERVER);
 
-  gnutls_priority_set_direct (session, "NORMAL", NULL);
+  gnutls_priority_set_direct (session, "NORMAL:+CTYPE-OPENPGP", NULL);
 
   /* request client certificate if any.
    */
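Review bot: the return value of gnutls_priority_set_direct is still discarded, so a typo in "NORMAL:+CTYPE-OPENPGP" would leave the example running with whatever priority the call set before failing, and the OpenPGP handshake would then fail with a confusing error; since this is documentation that users copy, check the return value (the third argument, currently NULL, can receive the error position) and abort on failure.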
diff --git a/doc/latex/gnutls.bib b/doc/latex/gnutls.bib
index 7d07e89..d5ccfdf 100644
--- a/doc/latex/gnutls.bib
+++ b/doc/latex/gnutls.bib
@@ -236,8 +236,17 @@
        title = "{Using OpenPGP Keys for Transport Layer Security (TLS) 
Authentication}",
        month = "February",
        year = "2011",
-       note = "Available from \url{http://tools.ietf.org/html/rfc6091}";,
-       url = "http://tools.ietf.org/html/rfc6091";
+       note = "Available from \url{http://www.ietf.org/rfc/rfc6091.txt}";,
+       url = "http://www.ietf.org/rfc/rfc6091.txt";
+}
+
address@hidden RFC4821,
+       author = "Matt Mathis and John Heffner",
+       title = "{Packetization Layer Path MTU Discovery}",
+       month = "March",
+       year = "2007",
+       note = "Available from \url{http://www.ietf.org/rfc/rfc4821.txt}";,
+       url = "http://www.ietf.org/rfc/rfc4821.txt";
 }
 
 @Misc{ TLSCOMP,
diff --git a/lib/system_override.c b/lib/system_override.c
index 7b5db63..d8090bc 100644
--- a/lib/system_override.c
+++ b/lib/system_override.c
@@ -90,17 +90,15 @@ gnutls_transport_set_pull_function (gnutls_session_t 
session,
  * @func: a callback function
  *
  * This is the function where you set a function for gnutls to know
- * whether data are ready to be received within a time limit in
- * milliseconds. The callback should return 0 on timeout, a positive
- * number if data can be received, and -1 on error.
- * If the #data_size is non-zero that function should copy that
- * amount of data received in peek mode (i.e., if any other
- * function is called to receive data, it should return them again).
- *
+ * whether data are ready to be received. It should wait for data a
+ * given time frame in milliseconds. The callback should return 0 on 
+ * timeout, a positive number if data can be received, and -1 on error.
+ * You'll need to override this function if select() is not suitable
+ * for the provided transport calls. 
  * The callback function is used in DTLS only.
  *
  * @gnutls_pull_timeout_func is of the form,
- * ssize_t (*gnutls_pull_timeout_func)(gnutls_transport_ptr_t, void*data, 
size_t size, unsigned int ms);
+ * ssize_t (*gnutls_pull_timeout_func)(gnutls_transport_ptr_t, unsigned int 
ms);
  *
  * Since: 3.0.0
  **/
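Review bot: the documented prototype changes from "(gnutls_transport_ptr_t, void*data, size_t size, unsigned int ms)" to "(gnutls_transport_ptr_t, unsigned int ms)" while "Since: 3.0.0" is left untouched; if the header's typedef really lost the peek-buffer parameters after 3.0.0 this is an API break that must be stated in NEWS and reflected in the libtool version, and if the typedef never had them the commit message should say this is a documentation-only correction. The new text also has trailing whitespace on the "return 0 on " and "transport calls. " lines.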
diff --git a/m4/hooks.m4 b/m4/hooks.m4
index 6941e4f..a2f6182 100644
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -41,11 +41,11 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
   # Interfaces added:                             AGE++
   # Interfaces removed:                           AGE=0
   AC_SUBST(LT_CURRENT, 28)
-  AC_SUBST(LT_REVISION, 1)
+  AC_SUBST(LT_REVISION, 2)
   AC_SUBST(LT_AGE, 0)
 
   AC_SUBST(LT_SSL_CURRENT, 27)
-  AC_SUBST(LT_SSL_REVISION, 0)
+  AC_SUBST(LT_SSL_REVISION, 1)
   AC_SUBST(LT_SSL_AGE, 0)
 
   AC_SUBST(CXX_LT_CURRENT, 28)
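Review bot: bumping only LT_REVISION (1 to 2) and LT_SSL_REVISION (0 to 1) with AGE unchanged asserts, per the "Interfaces added: AGE++" rule in the comment just above, that no interface changed in this release; that is consistent only if the gnutls_pull_timeout_func change in lib/system_override.c is a comment fix and not a change to the exported typedef, so please confirm before release.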
diff --git a/tests/openpgp-certs/testcerts b/tests/openpgp-certs/testcerts
index 3ae5065..3a3afad 100755
--- a/tests/openpgp-certs/testcerts
+++ b/tests/openpgp-certs/testcerts
@@ -35,7 +35,7 @@ fi
 
 echo "Checking OpenPGP certificate verification"
 
-launch_server $$ --pgpcertfile $srcdir/srv-public-127.0.0.1-signed.gpg 
--pgpkeyfile $srcdir/srv-secret.gpg >/dev/null 2>&1 & PID=$!
+launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile 
$srcdir/srv-public-127.0.0.1-signed.gpg --pgpkeyfile $srcdir/srv-secret.gpg 
>/dev/null 2>&1 & PID=$!
 wait_server $PID
 
 # give the server a chance to initialize
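Review bot: "--priority NORMAL:+CTYPE-OPENPGP" is now repeated verbatim in every launch_server and $CLI invocation in this script; put it in one variable such as PRIO near the top so a later change to the OpenPGP default only needs one edit and the long lines become readable again.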
@@ -46,22 +46,22 @@ wait_server $PID
 #$CLI -p $PORT 127.0.0.1 --pgpkeyring ca-public.gpg </dev/null >/dev/null || \
 #  fail "Connection to verified IP address should have succeeded! (error code 
$?)" $?
 
-$CLI $DEBUG -p $PORT 127.0.0.2 --pgpkeyring $srcdir/ca-public.gpg </dev/null 
>/dev/null 2>&1 && \
+$CLI $DEBUG -p $PORT 127.0.0.2 --priority NORMAL:+CTYPE-OPENPGP --pgpkeyring 
$srcdir/ca-public.gpg </dev/null >/dev/null 2>&1 && \
   fail $PID "Connection to unrecognized IP address should have failed!"
 
-$CLI $DEBUG -p $PORT localhost --pgpkeyring $srcdir/ca-public.gpg </dev/null 
>/dev/null 2>&1 && \
+$CLI $DEBUG -p $PORT localhost --priority NORMAL:+CTYPE-OPENPGP --pgpkeyring 
$srcdir/ca-public.gpg </dev/null >/dev/null 2>&1 && \
   fail $PID "Connection to unverified (but present) 'localhost' should have 
failed!"
 
 kill $PID
 wait
 
-launch_server $$ --pgpcertfile $srcdir/srv-public-localhost-signed.gpg 
--pgpkeyfile $srcdir/srv-secret.gpg >/dev/null 2>&1 & PID=$!
+launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile 
$srcdir/srv-public-localhost-signed.gpg --pgpkeyfile $srcdir/srv-secret.gpg 
>/dev/null 2>&1 & PID=$!
 wait_server $PID
 
-echo | $CLI $DEBUG -p $PORT 127.0.0.1 --pgpkeyring $srcdir/ca-public.gpg 
</dev/null >/dev/null 2>&1 && \
+echo | $CLI $DEBUG --priority NORMAL:+CTYPE-OPENPGP -p $PORT 127.0.0.1 
--pgpkeyring $srcdir/ca-public.gpg </dev/null >/dev/null 2>&1 && \
   fail $PID "Connection to unverified IP address should have failed! (error 
code $?)" $?
 
-$CLI $DEBUG -p $PORT 127.0.0.2 --pgpkeyring $srcdir/ca-public.gpg </dev/null 
>/dev/null 2>&1 && \
+$CLI $DEBUG --priority NORMAL:+CTYPE-OPENPGP -p $PORT 127.0.0.2 --pgpkeyring 
$srcdir/ca-public.gpg </dev/null >/dev/null 2>&1 && \
   fail $PID "Connection to unrecognized IP address should have failed!"
 
 #see reason above
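Review bot: every assertion in this hunk is negative ("&& fail"), and the only positive check for this server instance is the commented-out "Connection to verified IP address should have succeeded" block; with OpenPGP no longer enabled by default, a mistake in the priority string on either side would make every handshake fail and all of these tests would pass for the wrong reason. Re-enable at least one expected-success connection per server instance, or check the client's error output for the certificate-verification failure rather than for any failure.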
@@ -71,14 +71,14 @@ $CLI $DEBUG -p $PORT 127.0.0.2 --pgpkeyring 
$srcdir/ca-public.gpg </dev/null >/d
 kill $PID
 wait
 
-launch_server $$ --pgpcertfile $srcdir/srv-public-all-signed.gpg --pgpkeyfile 
$srcdir/srv-secret.gpg >/dev/null 2>&1 & PID=$!
+launch_server $$ --priority NORMAL:+CTYPE-OPENPGP --pgpcertfile 
$srcdir/srv-public-all-signed.gpg --pgpkeyfile $srcdir/srv-secret.gpg 
>/dev/null 2>&1 & PID=$!
 wait_server $PID
 
 # give the server a chance to initialize
-echo | $CLI $DEBUG -p $PORT 127.0.0.1 --pgpkeyring $srcdir/ca-public.gpg 
</dev/null >/dev/null || \
+echo | $CLI $DEBUG --priority NORMAL:+CTYPE-OPENPGP -p $PORT 127.0.0.1 
--pgpkeyring $srcdir/ca-public.gpg </dev/null >/dev/null || \
   fail $PID "Connection to signed PGP certificate should have succeeded! 
(error code $?)" $?
 
-$CLI $DEBUG -p $PORT 127.0.0.2 --pgpkeyring $srcdir/ca-public.gpg </dev/null 
>/dev/null && \
+$CLI $DEBUG --priority NORMAL:+CTYPE-OPENPGP -p $PORT 127.0.0.2 --pgpkeyring 
$srcdir/ca-public.gpg </dev/null >/dev/null && \
   fail $PID "Connection to unrecognized IP address should have failed!"
 
 kill $PID
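Review bot: in "echo | $CLI ... </dev/null >/dev/null" the explicit </dev/null redirection replaces the pipe, so the echo contributes nothing; drop the pipe (or the redirection, if the intent is to feed the client one line of input). The positive "should have succeeded" check in this hunk is the one that actually validates the new priority string; it is worth keeping it even if the other hunks are later simplified.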
diff --git a/tests/openpgpself.c b/tests/openpgpself.c
index 5d36c30..155be76 100644
--- a/tests/openpgpself.c
+++ b/tests/openpgpself.c
@@ -170,7 +170,7 @@ client (void)
       gnutls_init (&session, GNUTLS_CLIENT);
 
       /* Use default priorities */
-      gnutls_priority_set_direct (session, "NORMAL", NULL);
+      gnutls_priority_set_direct (session, "NORMAL:+CTYPE-OPENPGP", NULL);
 
       /* put the x509 credentials to the current session
        */
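Review bot: the comment "Use default priorities" directly above the changed line is now wrong, since the whole point of "NORMAL:+CTYPE-OPENPGP" is to enable a certificate type that the defaults exclude (see the NEWS entry in this push); update the comment to say OpenPGP is enabled explicitly.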
@@ -270,7 +270,7 @@ initialize_tls_session (void)
   /* avoid calling all the priority functions, since the defaults
    * are adequate.
    */
-  gnutls_priority_set_direct (session, "NORMAL", NULL);
+  gnutls_priority_set_direct (session, "NORMAL:+CTYPE-OPENPGP", NULL);
 
   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, pgp_cred);
 


hooks/post-receive
-- 
GNU gnutls